<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AWS Key Management Service - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/aws-key-management-service/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/aws-key-management-service/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS KMS Key User Performing S3 Encryption</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-kms-s3-encryption/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-kms-s3-encryption/</guid><description>Detection of AWS users employing KMS keys for S3 encryption, potentially indicating suspicious data handling within cloud environments.</description><content:encoded><![CDATA[<p>This detection focuses on identifying AWS Identity and Access Management (IAM) users who are actively utilizing Key Management Service (KMS) keys to encrypt data within Simple Storage Service (S3) buckets. While not inherently malicious, such activity warrants monitoring as it could signify insider threats, compromised accounts, or unauthorized data handling procedures. Attackers might leverage stolen credentials or compromised IAM roles to encrypt data using KMS, potentially as a precursor to data exfiltration or ransomware-like activity targeting cloud storage. This activity should be considered especially concerning if the KMS keys being used are outside the user's normal operational scope.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to an AWS account, either through compromised credentials or exploiting a misconfigured IAM role.</li>
<li>The attacker enumerates available S3 buckets and identifies a target bucket containing sensitive data.</li>
<li>The attacker identifies or creates a KMS key within the AWS environment.</li>
<li>The attacker configures the target S3 bucket to use the identified KMS key for encryption of objects stored within it.</li>
<li>The attacker uploads or modifies objects within the S3 bucket, triggering encryption using the KMS key.</li>
<li>The attacker attempts to exfiltrate the encrypted data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to unauthorized access to sensitive data stored within S3 buckets. Depending on the nature of the data, this could result in financial losses, reputational damage, and legal repercussions. Furthermore, if the attacker controls the KMS key, they could render the data inaccessible, effectively holding it hostage. The impact can vary based on the scope of the compromised data and the attacker's objectives, potentially affecting customer data, intellectual property, or critical business information.</p>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>kms</category><category>s3</category><category>cloud</category><category>encryption</category></item><item><title>AWS KMS Key Creation with Public Encryption Policy</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-kms-key-creation/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-kms-key-creation/</guid><description>An attacker may create AWS KMS keys with a permissive encryption policy, granting `kms:Encrypt` permissions to all principals, potentially leading to unauthorized encryption and data compromise across multiple organizations.</description><content:encoded><![CDATA[<p>This analytic identifies the creation of AWS Key Management Service (KMS) keys configured with an encryption policy that grants broad access, including potentially external entities. The activity is detected by monitoring AWS CloudTrail logs ingested via Amazon Security Lake for <code>CreateKey</code> and <code>PutKeyPolicy</code> events. Specifically, the rule flags instances where the <code>kms:Encrypt</code> action is permitted for all principals (&quot;*&quot;). This misconfiguration can indicate a compromised AWS account, which could then be leveraged to misuse the encryption key, potentially targeting other organizations and their data. Successful exploitation allows an attacker to encrypt data, leading to operational disruptions and data breaches, especially if the key is used across multiple organizations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises an AWS account, possibly through credential theft or a vulnerability in an application running within the environment.</li>
<li>The attacker uses the compromised AWS credentials to authenticate to the AWS Management Console or via the AWS CLI/API.</li>
<li>The attacker issues a <code>CreateKey</code> API call to create a new KMS key using the AWS KMS service.</li>
<li>The attacker issues a <code>PutKeyPolicy</code> API call to set the encryption policy for the newly created KMS key.</li>
<li>The attacker configures the KMS key policy to grant <code>kms:Encrypt</code> permissions to all principals, effectively making the key publicly usable for encryption operations.</li>
<li>The attacker (or another entity) uses the publicly accessible KMS key to encrypt data, potentially rendering it inaccessible to legitimate users.</li>
<li>The attacker leverages the unauthorized encryption to disrupt services, extort victims, or cause reputational damage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this misconfiguration can lead to unauthorized data encryption, potentially disrupting operations and compromising sensitive information across multiple entities. The broad encryption policy allows any principal, including malicious actors, to encrypt data using the KMS key. This can result in data unavailability, extortion attempts, and significant reputational damage. A single compromised key can affect numerous organizations if the key is accessible and used across those entities, increasing the scope and severity of the impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect AWS KMS Key Creation with Public Encryption Policy</code> to your SIEM and tune for your environment to identify KMS key creation with broad encryption permissions based on Amazon Security Lake logs.</li>
<li>Investigate any alerts generated by the Sigma rule by examining the <code>api.request.data</code> field in the CloudTrail logs for suspicious principal configurations.</li>
<li>Review and remediate any existing KMS keys with overly permissive encryption policies, restricting access to only authorized principals.</li>
<li>Implement multi-factor authentication (MFA) for all AWS accounts to reduce the risk of account compromise and unauthorized key creation.</li>
<li>Monitor CloudTrail logs for suspicious API calls related to KMS key management, such as <code>CreateKey</code>, <code>PutKeyPolicy</code>, and <code>Encrypt</code> operations using the <code>amazon_security_lake</code> data source.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>aws</category><category>kms</category><category>encryption</category><category>misconfiguration</category><category>ransomware</category></item></channel></rss>